From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 31 Jul 2012 15:22:51 -0400
Subject: [refpolicy] kdialog and Chromium
In-Reply-To: <20120731191312.GB17454@siphos.be>
References: <201207271614.43908.russell@coker.com.au> <20120727091218.GB13778@siphos.be> <501824C7.6020505@tresys.com> <20120731191312.GB17454@siphos.be>
Message-ID: <5018308B.4040008@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/31/12 15:13, Sven Vermeulen wrote:
> On Tue, Jul 31, 2012 at 02:32:39PM -0400, Christopher J. PeBenito wrote:
>> On 07/27/12 05:12, Sven Vermeulen wrote:
>>> As I said, I'm working on a (separate[1]) domain for chromium and hit similar
>>> issues too (for instance when accessing ~/.pki) since I am trying to get the
>>> browsers running without requiring access to user_home_t stuff.
>>>
>>> Perhaps we can allow for a sharable lock file type (kde_lock_t) and allow
>>> the domain search rights in the kde_home_t stuff (I'm assuming these are the
>>> domains, I don't have any kde_* stuff here) and an automated file transition
>>> when a file with the name "kdebugrc.lock" is written in kde_home_t to
>>> kde_lock_t ?
>>
>> At the moment, I don't have any suggestions beyond something like this. Not
>> unless you want a conditional for writing out files to the home dir.
>
> I'm actually more inclined (and am trying to) support a downloads type where
> browsers have the necessary rights to, but nowhere else. Browsers are a too
> public attack vector lately so the less I need it to write (or even read)
> user home content the better.

I can go for that solution too... like a mozilla_downloads_t, user_downloads_t, or similar.

>>> [1] Chromium itself can be built with SELinux-enabled, but then requires
>>> that the policy supports a domain called chromium_renderer_t (which it
>>> dynamically transitions to). It doesn't make sense to include this in the
>>> mozilla_t domain.
>>
>> Is chromium_renderer_t hard coded into Chromium or does it sanely expect an
>> appconfig file (like initrc_context or userhelper_context)?
>
> It's currently hardcoded, but I think it is because of inexperience:
>
> ~$ grep -HR chromium_renderer_t ~/Development/build/tmp/chromium-20.0.1132.43/
> content/browser/zygote_main_linux.cc:  SELinuxTransitionToTypeOrDie("chromium_renderer_t");

:(

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
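
A sketch of the two ideas floated in this thread, written as a refpolicy-style module: a dedicated downloads type, and a named file transition for the KDE lock file. This is an added example, not part of the message and not refpolicy's own policy. `user_downloads_t` and `kde_lock_t` are the hypothetical names from the discussion, `kde_home_t` is assumed to exist as the thread assumes, and `mozilla_t` stands in for the browser domain.

```selinux
policy_module(browser_confine_sketch, 1.0.0)

gen_require(`
	type mozilla_t;
	type kde_home_t;
')

########################################
# Idea 1: a downloads type.
# The browser may manage content labeled user_downloads_t and
# nothing else under the home directory. No rule in this module
# grants the browser any access to user_home_t.
type user_downloads_t;
userdom_user_home_content(user_downloads_t)

manage_dirs_pattern(mozilla_t, user_downloads_t, user_downloads_t)
manage_files_pattern(mozilla_t, user_downloads_t, user_downloads_t)

########################################
# Idea 2: a shareable lock file type.
# A file created in a kde_home_t directory under the exact name
# kdebugrc.lock is labeled kde_lock_t instead of inheriting kde_home_t.
type kde_lock_t;
userdom_user_home_content(kde_lock_t)

type_transition mozilla_t kde_home_t:file kde_lock_t "kdebugrc.lock";

# Directory access needed to create and remove the lock file, plus
# full access to files labeled kde_lock_t. There is no create
# permission on kde_home_t:file, so a file written under any other
# name in that directory is denied.
manage_files_pattern(mozilla_t, kde_home_t, kde_lock_t)
```

The named form of `type_transition` needs a toolchain and kernel that support file name transitions (policy version 25 or later).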